In an Enterprise PKS cluster, the api server certificate configmap consists of multiple certificates in the chain
Article ID: 316789
Updated On:
Products
VMware
Issue/Introduction
Symptoms:
Two certificates are returned when running the following command to fetch the api server certificate:
kubectl -n kube-system get configmap extension-apiserver-authentication -o=jsonpath='{.data.client-ca-file}'
Two certificates are returned when running the following command to fetch the api server certificate:
kubectl -n kube-system get configmap extension-apiserver-authentication -o=jsonpath='{.data.client-ca-file}'
Environment
VMware PKS 1.x
Cause
The certificates returned are:
- The certificate for the CA that signed the kube-api cert
- The certificate that the kube-ctrlr-mgr uses to sign certs that get requested from the K8s cluster itself
Resolution
This is an expected behavior and not an issue.
Reference Manage TLS Certificates in a Cluster for more information on this topic.:
Additional Information
Feedback
Yes
No
Powered by
